Dmitry Belorossov and Citadel

The matchless background and distinguished legal forte of New York’s marquee defense attorney, Arkady Bukh, has sheared decades from the sentence Dmitry Belorossov initially faced. Belorossov, 22, had been accused of operating Citadel, a botnet, and helping develop improvements to the malware which led to over $500 million in losses. Instead of leaving prison as a very old man, Belorossov will be free within a year.

The sentencing follows Belorossov’s guilty plea, in July, 2014, to one count of conspiring to commit computer fraud. Belorossov was accused of playing a small part in a $500 million global cybercrime scheme that infected over 11 million computers globally.

Belorossov was extradited from Spain in 2014. The ongoing extradition of foreigners, accused of criminal activity, to America has created a debate between the US and Russia. The debate has sometimes grown heated, fueled in part by Russia’s refusal to hand over Edward Snowden.

Snowden Connection?

The subject of extradition has always been an issue between America and Russia. It has become a thornier issue since Edward Snowden was allowed to remain in Moscow. While American President Obama has continued to call for Snowden’s return, Russia has used the situation to highlight many extradition requests of its own that American administration officials have ignored.

The fact that Russia and America do not have an extradition treaty was driven home when Russia claimed it could not hand Snowden over when he was in the transit zone of a Moscow airport.

Citadel, which first appeared in 2011, was initially designed to capture banking and credit card information from computers. The malware also had the ability to block antivirus software.

A 27-year old Russian, identified only as “Mark“, was arrested in Fredrikstad, Norway at the request of America’s Federal Bureau of Investigation (FBI). The Norwegian newspaper, VG, notes that Mark has been held under house arrest while the FBI attempts to work out his extradition to America. Mark’s extradition is being fought by Russia, who says the evidence against Mark is almost non-existent.

American specialists consider Mark as the software developer behind Citadel.

Citadel has evolved since it was initially found in the cyber badlands. Through evolution, Citadel has become a massively distributed malware that experts believe has compromised millions of computers globally.

When Citadel installs on a computer, it opens channels of communication with command-and-control (C&C) servers. The malware receives a configuration file with operating instructions.

These software instructions tell the infected computer that targets to seek, the type of information to capture and which functions to enable. As long as the malware is interacting with the C&C, the configuration file can be updated with data about new targets and destinations.

IBM research has found that an average of 1 in 500 computers, globally, is infected with Citadel, or another version of APT malware at any point in time. Since Citadel has already infected millions of machines, it is simple for cyber-attacks to take advantage of the malware in new cyber schemes. All violators need to do is implement a new configuration file and anticipate infected machines to access the targets.

Citadel is highly evasive and bypasses the most rigorous threat detection security system. Citadel may lay idle on a user’s computer for years until it is triggered by a user action. This hibernation means that many users, and organizations, do not know their machines have been infected.